As reported in the October 18th installment of this newsletter, a key weakness of a “single sign-in authentication system” such as Microsoft Passport–aside from the fact that one is entrusting one’s data to an entity that stands to gain immensely by selling or exploiting it–is that once it’s compromised, your whole life is an open book (or wallet). Only one week after the debut of Microsoft’s Windows XP (which badgers users to sign up for Passport), the risk was demonstrated, dramatically, when security expert and Apache developer Mark Slemko showed how a simple cross-site scripting attack allowed him to obtain and exploit any Hotmail user’s Passport credentials.

Microsoft has claimed that, as far as it knows, no one has actually had his or her identity stolen via this security hole. (Of course, since charges can take time to make their way to credit card companies, and credit card customers may not receive their bills for up to one month after that, it is too early to tell whether anyone’s wallet was filched.) But at the same time that it was “spinning” the issue, Microsoft shut down Passport’s “Express Purchase” feature in an attempt to reduce the danger.

What other security holes lurk within Microsoft’s Passport service? It’s too early to tell, but the odds are great that more will be discovered. After all, Slemko says that he spent less than one hour dreaming up and implementing what he considered to be a rather obvious exploit.

Knowledgeable systems administrators do not use–or even enable–the Telnet protocol on their machines, because it sends passwords across public networks unprotected by encryption. Instead, most rely on SSH, which encrypts both passwords and data. Unfortunately, many recent versions of the SSH server software–both commercial and cooperatively developed–contain a bug that allows crackers to break into any system that runs them. Anyone who administers servers running the SSH protocol–regardless of operating system–should review the advisories below and ensure that they are not running susceptible server software.

Veteran technologist Paul Vixie, speaking at a meeting of ICANN in Monterey, California, voiced publicly a fact of which many Internet aficionados are already aware: It would take very little effort on the part of a malicious hacker to shut down the Domain Name System (DNS), effectively “bringing down” the Internet.

Currently, the domain name system can in fact be compromised via an attack on the 13 “root servers,” the servers that handle top-level domains, and the registrars who maintain the databases of domains owned by others.

According to a Reuters article, many saw ICANN’s sudden focus on security interests as an opportunistic attempt to divert public attention from serious issues involving the governance of the Internet and of ICANN itself. Many also question whether security lies within the scope of ICANN’s responsibility or authority. Reuters quotes Rodney Joffe, Chairman of Ultra DNS, as saying, “It’s relevant in general, but I don’t think ICANN needs to focus on it…. Security is, after all, a technical issue, not an administrative one.”

At Microsoft’s recent “Trusted Computing Forum,” several companies–including Bindview, Foundstone, Guardent, @Stake, and Internet Security Systems–agreed to limit what they disclosed about security vulnerabilities in Microsoft software. According to the agreement, the companies involved will publish only vague information about vulnerabilities rather than detailed analyses that might allow hackers to exploit them.

The announcement drew fire from many in the security community. The critics note that companies such as Microsoft have long refused to acknowledge bugs until they are publicly and fully disclosed. They say that their nearly universal experience is that corporations–especially large ones–will seek to suppress information about problems so as to give the public the impression that their products are more secure than they actually are, and will leave users at risk.

Your Humble Author was among the first to advocate tailoring disclosure policies so as to minimize harm (see last link below). But will Microsoft’s proposed policies do this? Or will they serve as a smokescreen for the company, allowing it to continue to produce insecure software? The fact is, alas, that there has been no formal research into the effects of different disclosure policies, so any proposal presented by a player with a vested interest does merit serious scrutiny.
